As a kid, I remember being proud of the stamps in my passport so I could show my grandparents which countries I had visited. Nowadays, there are only a few countries that even issue stamps for a passport. Going from country to country has been made easy.

When you (as an organization or an individual) put data into the cloud, you know that you are handing it over to a provider who may have data centers in many places, countries or even continents. These days, most people understand that storing data in the cloud means that your data needs to be physically stored on a device somewhere, though it is accessible anywhere. What most people don’t realize is where their data actually goes, which routes it travels along and where it is heading next.

Data Travels in the Cloud

As your cloud data traverses the world, it would be nice if you knew where it went. Governments are increasingly demanding that organizations can verify where the data they upload to the cloud goes. They are holding the uploaders accountable — in some cases even penalizing them if data passes certain borders unexpectedly or without permission.

For a regular customer using a cloud-based application, it is not easy to understand where the data you are accessing is really stored. The application or platform provider may be based in London, but the servers might be in Amsterdam, the U.S. or the Far East. Your data may reside in a data center in the U.K. today but be moved to Bangalore as part of an optimization process tomorrow.

And what about those cloud and mobile applications that you never authorized? Thanks to transformations in cloud and mobile, employees can sign up for new digital services with only a few clicks. Some of these tools and cloud-based technologies give employees immediate access to the productivity and collaboration they need to do their jobs much more efficiently than established or authorized apps allow. It’s the way people now want to work.

Whether employers allow it or not, employees are still going to use outside tools and upload company data to them. In a recent study, it was discovered that 1 in 3 employees at Fortune 1000 companies share and upload corporate data on third-party cloud apps.

Approaches to Data Protection

Organizations realize they need to deal with this challenge, and we see two possible starting points.

1. Legal/Procedural Approach

During the formal acquisition process for a new cloud, mobile or software-as-a-service (SaaS) provider, organizations may have to go through a step in which they involve the legal department to ask a series of questions related to business risk, data privacy and compliance. The legal team may have a checklist and can ask the cloud vendor to document the flow of the data. They may even require specific legal contracts such as EU model clauses to be put in place to govern data privacy requirements as per individual country laws.

This approach works well in situations where authorization of the use of cloud apps and services is formally requested. However, the reality is that many cloud and SaaS applications are activated by employees without prior authorization from the employer. Furthermore, the setup of the cloud provider may change. How do you ensure your organization is on top of this so-called shadow IT, and how do you deal with changes over time?

2. Network/Security Approach

Your organization may have already deployed technologies capable of analyzing network traffic such as Web application firewalls (WAF), intrusion detection solutions (IDS) or intrusion prevention systems (IPS). If these technologies cover the entire enterprise network, they can provide a good starting point for analyzing the extent of unauthorized use. If such technologies only cover part of the network, ask if there is appetite to make further capital investments in network hardware or if it is more efficient to consider SaaS to support the automated detection phase.

Organizations should integrate their legal/procedural approach with their network/security approach to gain the appropriate insight into the risk and mitigation associated with cloud security.

Ask the Right Questions

Related to cloud security governance, organizations should ask themselves the following questions:

  • What SaaS, cloud and mobile applications do your employees use?
  • Can you leverage existing technology for inspecting network traffic? Is there an opportunity to introduce automated discovery technology that can help discover authorized and unauthorized SaaS use and country-level data flows?
  • Have you made an inventory of the specific risks associated with cloud, SaaS and mobile for your organization? Did you design specific business controls to mitigate the risks related to cloud security?
  • Do you require the business owners of SaaS, cloud and mobile applications to comply with a cloud security governance process that checks against a series of business controls?
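The network/security approach above and the second question in this list both come down to the same mechanical step: look at outbound traffic, compare destinations against what the legal/procedural step has authorized, and flag uploads that leave for countries outside the approved set. The following is an added example, not code from the original article: a small discovery pass in Python over constructed web-proxy log lines. The log format, the host names, the authorized-host list, the host-to-country table and the approved-country set are all assumptions chosen for illustration; a real deployment would take the country mapping from provider documentation and geolocation data and refresh it regularly, since, as the article notes, a provider can move data between regions without warning.

```python
"""
Added example (not from the original article): discover unauthorized SaaS use
and cross-border uploads from constructed proxy log lines.

Assumptions (all hypothetical): log line format
  <timestamp> <user> <method> <host> <bytes_out>
plus the authorized-host list, host->country table and approved countries below.
"""
import re
from collections import defaultdict

# Constructed sample proxy log lines; the hosts are made up for this example.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice POST files.example-drive.test 5242880
2024-03-04T09:13:44Z alice GET mail.corp-suite.test 1200
2024-03-04T09:15:09Z bob POST share.quick-notes.test 734003
this line is malformed and should be skipped
2024-03-04T09:18:30Z carol PUT files.example-drive.test 10485760
2024-03-04T09:20:02Z dave POST chat.team-tool.test 2048
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes_out>\d+)$"
)

# Assumed outcome of the legal/procedural step: SaaS hosts the business has sanctioned.
AUTHORIZED_HOSTS = {"mail.corp-suite.test", "chat.team-tool.test"}

# Assumed lookup of where each provider stores data (in practice: provider
# documentation plus DNS/IP geolocation, refreshed as providers move regions).
HOST_COUNTRY = {
    "files.example-drive.test": "US",
    "mail.corp-suite.test": "GB",
    "share.quick-notes.test": "IN",
    "chat.team-tool.test": "NL",
}

# Countries the organization has approved for storing its data (assumption).
APPROVED_COUNTRIES = {"GB", "NL"}

# HTTP methods treated as "data leaving the organization".
UPLOAD_METHODS = {"POST", "PUT"}


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        rec = m.groupdict()
        rec["bytes_out"] = int(rec["bytes_out"])
        records.append(rec)
    return records


def discover(records):
    """
    Return (unauthorized, cross_border):
      unauthorized: host -> {"users": set, "bytes_out": total upload bytes}
                    for every host not on the authorized list (shadow IT)
      cross_border: list of uploads whose destination country is not approved,
                    whether or not the host is authorized
    """
    unauthorized = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    cross_border = []
    for rec in records:
        host = rec["host"]
        is_upload = rec["method"] in UPLOAD_METHODS
        if host not in AUTHORIZED_HOSTS:
            unauthorized[host]["users"].add(rec["user"])
            if is_upload:
                unauthorized[host]["bytes_out"] += rec["bytes_out"]
        # Unknown destinations are flagged rather than silently approved.
        country = HOST_COUNTRY.get(host, "UNKNOWN")
        if is_upload and country not in APPROVED_COUNTRIES:
            cross_border.append(
                {"user": rec["user"], "host": host,
                 "country": country, "bytes_out": rec["bytes_out"]}
            )
    return dict(unauthorized), cross_border


def report(text):
    """Human-readable summary, returned as a list of lines."""
    unauthorized, cross_border = discover(parse_log(text))
    lines = ["Unauthorized SaaS hosts:"]
    for host, info in sorted(unauthorized.items()):
        lines.append(f"  {host}: users={sorted(info['users'])} upload_bytes={info['bytes_out']}")
    lines.append("Uploads to non-approved countries:")
    for f in cross_border:
        lines.append(f"  {f['user']} -> {f['host']} ({f['country']}) {f['bytes_out']} bytes")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Note that the two checks are deliberately separate: an authorized provider can still hold data in a non-approved country (a contract may be in place while the provider's actual region changes), and an unauthorized tool hosted in an approved country is still shadow IT. Destinations missing from the country table are reported as `UNKNOWN` rather than assumed safe, which is the behavior a governance process wants from its first automated pass.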

It all comes down to your appetite for taking risks. Organizations should design their cloud security governance process based on their own profile and policy, the requirements of the industry and geography they operate in and their own specific preferences.
